On Mon, Jul 13, 2015 at 10:32:06AM +0200, Jiri Kosina wrote:
> If the credentials can be used both to push to ra.kernel.org and to access 
> your "local" copy of the GIT repo (on your notebook / desktop / storage), 
> I can just push the malicious commit (*) to both repos and you might not 
> notice immediately (because you wouldn't get non-fast-forward hint from 
> git).

This is mitigated somewhat by existing 2-factor mechanisms placed on
select git repositories.

https://korg.wiki.kernel.org/userdoc/gitolite_2fa

To successfully attack in this manner, you would need to push to
gitolite.kernel.org from an IP address that's been previously
2fa-validated by the developer.

Which brings me around to grumbling a bit -- since we've made 2-factor
auth available, only 30 people have set up a token[*] (not even 10% of all
account holders) and only 25 repositories/subdirs have a 2fa requirement
on them, out of 450 defined.

I'm far from suggesting that we make this mandatory, but I'm open to
any suggestions on how we can make more developers enroll with 2fa.

Best,
-- 
Konstantin Ryabitsev
Linux Foundation Collab Projects
Montréal, Québec

[*] Not counting a couple of people using GPG smartcards/yubikeys
    for their ssh authentication.